SEOUL—North Korea’s cyberarmy has splintered into multiple groups and is unleashing orchestrated attacks increasingly focused on funneling stolen funds to the secretive nation, according to a government-backed South Korean report released Thursday.

The emphasis on finances represents a significant shift from Pyongyang’s prior patterns of attack seeking to obtain military information, destabilize networks or intimidate. It also shows how North Korea’s fast-evolving—but costly—nuclear-missile program has accelerated its need for cash as it is subjected to financial sanctions.

Cybersecurity researchers have long suspected the hacking group Lazarus carried out those attacks with the backing of North Korea. Earlier this year, Russian cybersecurity firm Kaspersky Lab AO identified an offshoot of Lazarus, called BlueNoroff, which specializes in heists of foreign financial institutions.

In the new report, the government-funded Korea Financial Security Institute said it had identified a second group linked with Lazarus that has carried out a range of cyberattacks on South Korea. FSI researchers found eight attacks from 2013 to May conducted by this new hacking operative, which they call “Andariel,” and whose coding and internet-protocol address bear similarities to Lazarus attacks.

The efforts include even low-level scams such as planting malware in South Korean ATMs to steal bank-card information, according to the FSI report, the country’s first-ever public report on North Korean cyberattacks, with law enforcement and intelligence officials getting briefed on the findings. That is behavior more typical of an organized-crime ring.

Kim Jong-un North Korea’s top leader, and his wife Ri Sol-ju in

North Korean operatives then sold the swiped data to people in Taiwan, China and Thailand who would try to withdraw money from ATMs in their own regions. But only several thousand dollars were withdrawn before South Korean law enforcement identified the ruse after six days.

“North Korea now cares more about making money than causing disruptions or cyberterrorism,” said Joon Kim, owner of Naru Security Inc., who has advised South Korean law enforcement on cyber issues.

South Koreans have a unique lens into North Korea’s cyberoffenses, as Pyongyang’s longest-running and most frequent target. South Korean government groups and agencies withstand 1.4 million hacking attempts a day, according to law-enforcement and intelligence officials.

The eight Andariel attacks shared similarities in hacking tools and encrypted codes. To access “web shells,” or servers used by hackers that allow them to control computers remotely, the Andariel group used one of two passwords: “iamboss” or “youaredied,” according to a person familiar with Andariel’s techniques.

Andariel has also recently teamed up with BlueNoroff to target a large South Korean financial institution, according to the FSI report. The institution wasn’t identified.

The report helps paint a fuller picture over how North Korea’s digital army has grown into a web of specialist teams.

“The problem is that it’s not just simple attacks anymore with North Korea. It’s more orchestrated now, as if it were a military operation,” said Kim Seung-joo, a Korea University professor who sits on a South Korean government cybersecurity advisory team.

The broader Lazarus group, discreet and meticulous in covering its tracks, has specialized in breaching computers or networks, foreign and South Korean cybersecurity experts said. BlueNoroff then follows up with the actual heists or data swipes with less regard for cloaking its moves.

Outside of South Korea, the Lazarus group has recently set its sights on casinos, financial-trade software firms—and even organized-crime rings, said Vitaly Kamluk, a global research and analysis director at Kaspersky Lab, who is focused on the Asia-Pacific region.

“It sounds like a perfect crime,” Mr. Kamluk said. “When you steal from a thief, nobody will go after you. Law-enforcement will focus on the criminal that stole the money in the first place.”

Lazarus and BlueNoroff in recent years have made attempts to breach financial companies or institutions in at least 18 countries, including Mexico, Norway and India, according to Kaspersky.